How to Run Effective Phishing Assessment and Training Campaigns Employees Don’t Hate

According to a recent study by SANS, 95% of all attacks on enterprise networks are the result of successful spear phishing. Other research by Ponemon Institute shows that the average loss on such attacks is $4 million.

Bearing in mind that phishing is becoming more and more common among cyber-criminals and has devastating outcomes (e.g. recent stories about Locky and the surge of ransomware attacks in general), enterprises are keen to fight this ever-increasing threat by any and all means.

Fighting against phishing is no longer just man versus machine. More and more enterprises are adopting user awareness programs on top of traditional antimalware to enhance their anti-phishing capabilities, understanding that employees can serve as a valuable active defense layer inside the organization.

For that to happen – and for the first time ever – we see two major departments joining hands to create a more secured environment – IT and HR.

Yes, it’s definitely not common to see HR as a critical part of reducing cyber risks – however, HR is responsible for employee training, and today cyber training is becoming yet another skill set organizations are asking employees to add.

The IT/security department fights threats 24/7, but for them to use the human factor as an active layer of defense, they must cooperate with HR.

The numbers are already there: assessment and training are significantly increasing employee awareness, reducing click rates, and increasing reports of phishing. However, if you don’t do it right, phishing assessment and training can go very wrong due to employee reactions.

Based on our vast experience, here are the best ways to conduct a successful phishing assessment process.

The 11 Commandments

1. No shaming! – Never, ever publish campaign results publicly.

2. Teach, don’t blame – make the landing page for those who have taken the bite something easy to absorb. Make sure the messages are positive and deliver the right mindset. Focus on the learning, not the problems they would have caused if it were a real attack.

3. Use gamification – make the training fun and interactive. People are tired of bullets and boring videos. Above all, keep it short!

4. Repeat the process at least once every two months – changing behavior is a process. Training is important but continuous assessment is even better to set the right mindset.

5. Take the help desk team into account – some phishing campaigns drive lots of phone calls and emails to the helpdesk. Don’t make them hate training days. Don’t send more emails a day than they can handle. Use embedded report buttons on email clients when possible to allow immediate feedback. It will change their reporting habit for real world attacks as well.

6. DEFINITELY include senior management – they are main targets, especially for spear and whale phishing. Make no exceptions. Publicly promote their participation. It’s a good example for the rest of the company.

7. Time it right. Make it as short and concise as possible. Don’t make it a month-long campaign. The help desk will lose track and won’t be able to follow real phishing attacks. Time it early in the morning but not too early. You want to reach the main population of employees to make sure that most experience it firsthand.

8. Deliver different types of phishing attacks – links, attachments, fake websites requesting usernames/passwords, and requests to download rogue applications. Make it interesting. Make sure enough “signs” indicate that it’s not a real one. Don’t make it too hard, so they don’t feel they have no chance to succeed.

9. Use real-life examples – it’s best to hit your employees with emails that they might actually receive. Change difficulty levels and start from the ground up. Don’t expect people to understand advanced phishing examples from day one. Teach them step by step on both phishing scenarios and training modules.

10. Enforce training, and follow their progress – to make it effective, employees must understand this is serious. They need to be reminded if they ditched the training. It’s your job to make sure they like it. It’s all about the messaging. They need to understand that they have a critical role in protecting the company and its assets.

11. Measure the progress for each phishing scenario type (drive-by/attachments/call for action) over time. Offer prizes to those who show great performance at the end of the year! Incentivize! Show the top 10 departments/employees.

Following these guidelines will assure a constructive assessment process with engaged employees who can appreciate and relate to the process.